dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4

Analysis

max time kernel
42s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
Size

12.7MB
MD5

4c96923cf4a650d27e5f95c2ee78c6ee
SHA1

934641ca1dcf17829426b0cfb46de083425ad8a3
SHA256

dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4
SHA512

8e458df1972d7d4add15c663ea7e95bb5d8ad37830f3a8067417b904b14d121e9ed2b0d7701b97f0468bc6935b5ba6762bbe7e2f532cc9558543566983c1717f
SSDEEP

196608:u07lhv4+zaZK4DT81o3LAKmP0R/7pS2E5RV9BYb3mnSdK/zvwpyFl1v6psjLm:x7zxzaZKt1o3IP0RsLRVk4fFl1v6pQ

Score

8^/10

evasion persistence ransomware upx

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

Processes:

dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ascaris.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

drawerror.exeGhost.exe

pid process

3032 drawerror.exe
2640 Ghost.exe
Loads dropped DLL 1 IoCs

Processes:

dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe

pid process

2844 dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe

pid	process
3032	drawerror.exe
2640	Ghost.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "c:\\cc.ico"	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ascaris.dll	upx
behavioral1/memory/2844-48-0x0000000010000000-0x00000000100B3000-memory.dmp	upx
behavioral1/memory/2844-60-0x0000000010000000-0x00000000100B3000-memory.dmp	upx
behavioral1/memory/2844-70-0x0000000010000000-0x00000000100B3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe"	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cmd.exe

description	ioc	process
File opened (read-only)	\??\i:	cmd.exe
File opened (read-only)	\??\l:	cmd.exe
File opened (read-only)	\??\q:	cmd.exe
File opened (read-only)	\??\s:	cmd.exe
File opened (read-only)	\??\w:	cmd.exe
File opened (read-only)	\??\g:	cmd.exe
File opened (read-only)	\??\o:	cmd.exe
File opened (read-only)	\??\t:	cmd.exe
File opened (read-only)	\??\u:	cmd.exe
File opened (read-only)	\??\v:	cmd.exe
File opened (read-only)	\??\y:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\k:	cmd.exe
File opened (read-only)	\??\n:	cmd.exe
File opened (read-only)	\??\p:	cmd.exe
File opened (read-only)	\??\r:	cmd.exe
File opened (read-only)	\??\x:	cmd.exe
File opened (read-only)	\??\z:	cmd.exe
File opened (read-only)	\??\j:	cmd.exe
File opened (read-only)	\??\m:	cmd.exe
File opened (read-only)	\??\h:	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "1.bmp"	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe

Kills process with taskkill 16 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2436	taskkill.exe
8656	taskkill.exe
7848	taskkill.exe
9480	taskkill.exe
9852	taskkill.exe
10116	taskkill.exe
10176	taskkill.exe
2268	taskkill.exe
9788	taskkill.exe
10052	taskkill.exe
9728	taskkill.exe
9916	taskkill.exe
10236	taskkill.exe
8656	taskkill.exe
9576	taskkill.exe
9988	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\WallpaperStyle = "2"	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\TileWallpaper = "2"	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe

Modifies registry class 64 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dat	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ppt\ = "txtfile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmv	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpg\ = "txtfile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.3gp	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpeg\ = "txtfile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "c:\\cc.ico"	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe

pid	process
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeDebugPrivilege	8656	taskkill.exe
Token: SeDebugPrivilege	7848	taskkill.exe
Token: SeDebugPrivilege	9480	taskkill.exe
Token: SeDebugPrivilege	9576	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Ghost.exe

pid process

2640 Ghost.exe

pid	process
2640	Ghost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exeGhost.exe

pid	process
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
2640	Ghost.exe
2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2844 wrote to memory of 3032	2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe	drawerror.exe
PID 2844 wrote to memory of 3032	2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe	drawerror.exe
PID 2844 wrote to memory of 3032	2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe	drawerror.exe
PID 2844 wrote to memory of 3032	2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe	drawerror.exe
PID 2844 wrote to memory of 2640	2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe	Ghost.exe
PID 2844 wrote to memory of 2640	2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe	Ghost.exe
PID 2844 wrote to memory of 2640	2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe	Ghost.exe
PID 2844 wrote to memory of 2640	2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe	Ghost.exe
PID 2844 wrote to memory of 1264	2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe	cmd.exe
PID 2844 wrote to memory of 1264	2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe	cmd.exe
PID 2844 wrote to memory of 1264	2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe	cmd.exe
PID 2844 wrote to memory of 1264	2844	dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe	cmd.exe
PID 1264 wrote to memory of 2476	1264	cmd.exe	cmd.exe
PID 1264 wrote to memory of 2476	1264	cmd.exe	cmd.exe
PID 1264 wrote to memory of 2476	1264	cmd.exe	cmd.exe
PID 1264 wrote to memory of 2476	1264	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2236	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2236	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2236	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2236	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2700	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2700	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2700	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2700	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2548	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2548	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2548	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2548	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2668	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2668	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2668	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2668	2476	cmd.exe	cmd.exe
PID 1264 wrote to memory of 2436	1264	cmd.exe	taskkill.exe
PID 1264 wrote to memory of 2436	1264	cmd.exe	taskkill.exe
PID 1264 wrote to memory of 2436	1264	cmd.exe	taskkill.exe
PID 1264 wrote to memory of 2436	1264	cmd.exe	taskkill.exe
PID 2476 wrote to memory of 2504	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2504	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2504	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2504	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 756	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 756	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 756	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 756	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2932	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2932	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2932	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2932	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 1732	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 1732	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 1732	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 1732	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 108	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 108	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 108	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 108	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2772	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2772	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2772	2476	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2772	2476	cmd.exe	cmd.exe
PID 2236 wrote to memory of 2780	2236	cmd.exe	cmd.exe
PID 2236 wrote to memory of 2780	2236	cmd.exe	cmd.exe
PID 2236 wrote to memory of 2780	2236	cmd.exe	cmd.exe
PID 2236 wrote to memory of 2780	2236	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe
"C:\Users\Admin\AppData\Local\Temp\dc78949369ee4a27212536bec9e9cc12f80f27c8395b12f311e4f4b20b5f38a4.exe"
1⤵
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2844

\??\c:\drawerror.exe
c:\drawerror.exe
2⤵
- Executes dropped EXE
PID:3032

\??\c:\Ghost.exe
c:\Ghost.exe
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\ÓðÒí.bat
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:3456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:3512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:3868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:3416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:3616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:4116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:3288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:4264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:7996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:8216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:5824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:5952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:6832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:5672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:6040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:6840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:8568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:5236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:5832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:8040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:8260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:7516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:8316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:7820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:6688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:5512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
- Modifies registry class
PID:7564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:7932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:6884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:8396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
6⤵
PID:8440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:2548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:3772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:6088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:5544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:6440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:8056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:8588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:5248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:6256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:7876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:5944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:6032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:6124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:6328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:6432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:6496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:6636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:6724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:6976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:6732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:6020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:7532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:5996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:6672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:6776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:7116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:6156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
- Modifies registry class
PID:7272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:6956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:8084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:8140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:6456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:7208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:8364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
5⤵
PID:8412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:5384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:6224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:6416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:6544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
4⤵
PID:8120

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 360tray.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add
3⤵
PID:3228

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v nodrives /t REG_DWORD /d 60 /f
3⤵
PID:3288

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
3⤵
PID:5216

C:\Windows\SysWOW64\subst.exe
subst b: C:\
3⤵
PID:6368

C:\Windows\SysWOW64\subst.exe
subst h: C:\
3⤵
PID:7580

C:\Windows\SysWOW64\subst.exe
subst i: C:\
3⤵
PID:8528

C:\Windows\SysWOW64\subst.exe
subst j: C:\
3⤵
PID:8928

C:\Windows\SysWOW64\subst.exe
subst l: C:\
3⤵
PID:9204

C:\Windows\SysWOW64\subst.exe
subst m: C:\
3⤵
PID:8472

C:\Windows\SysWOW64\subst.exe
subst n: C:\
3⤵
PID:7872

C:\Windows\SysWOW64\subst.exe
subst o: C:\
3⤵
PID:7924

C:\Windows\SysWOW64\subst.exe
subst r: C:\
3⤵
PID:7976

C:\Windows\SysWOW64\subst.exe
subst t: C:\
3⤵
PID:8008

C:\Windows\SysWOW64\subst.exe
subst k: C:\
3⤵
PID:8152

C:\Windows\SysWOW64\subst.exe
subst p: C:\
3⤵
PID:7136

C:\Windows\SysWOW64\subst.exe
subst q: C:\
3⤵
PID:8276

C:\Windows\SysWOW64\subst.exe
subst s: C:\
3⤵
PID:7976

C:\Windows\SysWOW64\subst.exe
subst u: C:\
3⤵
PID:7136

C:\Windows\SysWOW64\subst.exe
subst v: C:\
3⤵
PID:8276

C:\Windows\SysWOW64\subst.exe
subst w: C:\
3⤵
PID:8052

C:\Windows\SysWOW64\subst.exe
subst x: C:\
3⤵
PID:6464

C:\Windows\SysWOW64\subst.exe
subst y: C:\
3⤵
PID:7952

C:\Windows\SysWOW64\subst.exe
subst z: C:\
3⤵
PID:8304

C:\Windows\SysWOW64\taskkill.exe
taskkill /im explorer.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7848

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
3⤵
PID:9284

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideClock /t REG_DWORD /d 1 /f
3⤵
PID:9296

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
3⤵
PID:9304

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWindowsUpdate /t REG_DWORD /d 01000000 /f
3⤵
PID:9312

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f
3⤵
PID:9320

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewContextMenu /t REG_DWORD /d 0 /f
3⤵
PID:9328

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
3⤵
PID:9336

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /t REG_DWORD /d 1 /f
3⤵
PID:9344

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\1.bat
2⤵
PID:8476

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 360tray.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8656

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\±øÍÅ.bat
2⤵
- Enumerates connected drives
PID:9388

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\ascaris.bat
2⤵
PID:9456

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 360tray.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9480

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 360tray.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9576

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 360tray.exe
2⤵
- Kills process with taskkill
PID:9728

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 360tray.exe
2⤵
- Kills process with taskkill
PID:9788

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 360tray.exe
2⤵
- Kills process with taskkill
PID:9852

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 360tray.exe
2⤵
- Kills process with taskkill
PID:9916

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 360tray.exe
2⤵
- Kills process with taskkill
PID:9988

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 360tray.exe
2⤵
- Kills process with taskkill
PID:10052

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 360tray.exe
2⤵
- Kills process with taskkill
PID:10116

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 360tray.exe
2⤵
- Kills process with taskkill
PID:10176

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 360tray.exe
2⤵
- Kills process with taskkill
PID:10236

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 360tray.exe
2⤵
- Kills process with taskkill
PID:8656

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 360tray.exe
2⤵
- Kills process with taskkill
PID:2268

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:8052

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1.bat
Filesize
28B

MD5
ccff006fd8c4150a18669ced52244d6a

SHA1
743fe1b7fe0a8215fbb5eeeb95e55ba4f39cb01e

SHA256
3c32ecce41201efa27dd4e18d5d0b88c429fc9427829f565512e44b487ce120e

SHA512
114e98ad958e4cbdad94d24753c2a67a1080160c4fa35d9839420aa5de9f28446794c606b29d58f342f7316421ecfb877741957cd979736ea9fcfae06981bf79

Download Submit
C:\1.bat
Filesize
18B

MD5
c6c7b4dcc81c27c76c49dfd2acee715e

SHA1
ef6a2a2ccb276bc9a057cd0d6f0bd3867d1988b7

SHA256
edc099fdfa8210f123cdc51dfb3256cc7dc3c0af614fd63e3c1d6182bf37ae21

SHA512
b9d1aba58a20238e3870c9785a43d1c64273b3c332d545f8c363d02844214f6dcd3332c35281b2663ed2192728c33d915d457615c6f4057a1dccdea188d38898

Download Submit
C:\Ghost.exe
Filesize
20KB

MD5
69c97e6fcc20eda26024caedc87449f3

SHA1
1d784041e60c83b6b5bd1a644a5daff8d7ddb627

SHA256
a70f454dd1b123be4dda9ee8e22e3a5f414397b8a7ce221647d2e12f9244146a

SHA512
de7f603f33ac35ceb1ef769e9a349f3887be451af1d7ea71996496db9584f820c483ae4c6db672b2b47b2c9330effe2cffac6a30aafe9396edb78fb680f776ec

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
840B

MD5
cc86e1a5224fcaa035e618fa766d5b53

SHA1
09913248e3983ee751bddca919599e9f5a07685a

SHA256
1aaf0d85389d6359d30f2d0f0942f8e1369871e75350f4fbcf1edd79836d9926

SHA512
177ecec47415e30c91e46576f472b9371818c73964b02c275a3e8f525fc5f6436d911cbb36ee72de15907f8e9b4c2bc2b5bbe662f44762ecec1120a99a2eef3b

Download Submit
C:\ascaris.bat
Filesize
13KB

MD5
54552eebfc4c487d01daa63048efa72c

SHA1
7f0ef347eeae3b26efb3c24a83d03958cb7fa3ab

SHA256
b085349f14e199ee7344ae9120898da281b6d410d6b595dffddb55f3645a251f

SHA512
a1dc49c221da7ebe12229807664b164bc99bff4fa918cfd31a818ce779566b9e8d7eef22355b187dfa8d064d4ed92d164465a604ef79c824065a7e5e60669b23

Download Submit
C:\drawerror.exe
Filesize
9KB

MD5
a4b655c4580fad879c431ac265bd1409

SHA1
f98d37a7c2a5a24f7d6871c87d150de4417e00ad

SHA256
2eba41b0399d91c5677f9ead8beb2610f94026a6a91c84ff7a4f19cfafbe61ad

SHA512
af7124caef5babde34421550f1aef4c74b88ddd657c3eaf4af5887a61b6b8c31b09b199886cab92a87eb089502f049c11da266c900de02c8310058b4c704e854

Download Submit
C:\±øÍÅ.bat
Filesize
166B

MD5
32f678c01c8d5edca7ecaf35937259f6

SHA1
7079515682536cf2366bcdf0f44a8ce83a17c806

SHA256
80552c862831e82ffa22045b26efeef84e89576f0ab385b5b87d8467d98b9e94

SHA512
2833b2fd557b51505d8a2a251b664e51944c1a5e65109b76719d6ac970c3058159460b3d9205ab98ce65c32c066d52f1320fc79170c2b06a02c5ecbecaadcc7a

Download Submit
C:\ÓðÒí.bat
Filesize
2KB

MD5
8f0b90a560cc05a8fe5068d4db3087bd

SHA1
1d53e5256d162964cf38cf1d73ae6db8a633ea6d

SHA256
6db71de3499a83a9602d693e99d36127772c743b595e26f36c69cba2e2186f2e

SHA512
df375eac9903fbe5675806f078e0faf0bb7342737ee34359edd3e55866ce5ecd27b09c5e8fff06e1463fe2ebb18bfbf93ce19adbcee986effa1dcbcd34a602a6

Download Submit
\Users\Admin\AppData\Local\Temp\ascaris.dll
Filesize
224KB

MD5
4520eee1da294b6c8428cea200b81d18

SHA1
2d1478c5aef0934db397b8c593ec2432d9809b83

SHA256
9b2c140b6c47666024128b8ac9f1e8b2fe041caf6d286eec638018beb48394cd

SHA512
aff152ec0672597c483d15fe04fe7ddf55155827a2df588ab83efc45301cedb670be23a566ee8c268e497d33e21b48ee8723ad812d253f9d1f284e3324734ac0

Download Submit
memory/2844-48-0x0000000010000000-0x00000000100B3000-memory.dmp

Filesize
716KB

Download
memory/2844-0-0x0000000000400000-0x00000000010CA000-memory.dmp

Filesize
12.8MB

Download
memory/2844-60-0x0000000010000000-0x00000000100B3000-memory.dmp

Filesize
716KB

Download
memory/2844-70-0x0000000010000000-0x00000000100B3000-memory.dmp

Filesize
716KB

Download
memory/3032-35-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads